Trigger word: E-mail monitoring gets easy in Office 365, Exchange

It's now simpler than ever for the boss to watch what you send in e-mail.

Exchange 2013 and Office 365 (O365) include a new feature that can peek into e-mail messages and enclosed documents and then flag them, forward them, or block them entirely based on what it finds. This sort of data loss prevention technology has become increasingly common in corporate mail systems, but its inclusion as a feature in Office 365's cloud service makes it a lot more accessible to organizations that haven't had the budget or expertise to monitor the e-mail lives of their employees.

As we showed in our review of the new Office server platforms, the data loss prevention feature of Microsoft's new messaging platforms can detect things like credit card numbers, social security numbers, and other content that has no business travelling by e-mail. Because of how simple it is to configure rules for Microsoft's DLP and security features, administrators will also have the power to do other sorts of snooping into what's coming and going from users' mailboxes.

Unfortunately, depending on the mix of mail servers in your organization—or which Exchange instances you happen to hit in the O365 Azure cloud—these rules may not work all the time. And they won't help defeat someone determined to steal data via e-mail.

In tests we performed with the DLP and security features, we found that Exchange and O365 were pretty good at catching credit card numbers and other personally identifiable information. However, some of the rules we set for testing didn't take for all of our users. That may in part have been because of the limited rollout of the new Exchange within Microsoft's O365 infrastructure when we were performing the testing. When setting rules, we got a warning from the Exchange Administrative Console:

Not all your servers have been assimilated yet. Try again later.

So in other words, if you're rolling out Exchange 2013 in your organization or are using Office 365 from multiple locations, your mileage with DLP may vary. And even when the rules do work, there are some limits to what you can stop from going out the SMTP gateway.

Exchange 2013 and Office 365 allow administrators to apply rules that direct mail flow. Those rules can be used for all sorts of things, like rerouting inbound e-mail from one mailbox to another based on the sender, keywords in the subject or contents, and a number of other parameters. For data loss prevention, those rules can be triggered by filters checking for keywords or specific patterns. Those patterns can require some calculations to be made on the text. For example, you won't set off the credit card detection filter Microsoft provides out of the box unless the numbers properly validate as "real" credit card numbers under the rules for each issuer.

Exchange and O365's filters can read both message bodies and common file attachments by scanning their content. The filters can also check compressed files for content. We ZIP-compressed documents with content banned by rules put in place to stop them from getting out, including credit card numbers, and the filters caught them with no trouble.

However, if you were intentionally trying to send data out of your organization, you'd probably not send it out as an unprotected document or .ZIP file. You might screenshot the data instead, for example. No DLP filter provided with Exchange and O365 can stop a picture of credit card data from leaving the sent mailbox. The filters are also defeated by the most basic encoding or obfuscation: substituting letters for numbers, or adding leading and trailing digits to disguise the credit card numbers. Even something as ancient as ROT-13 works.
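As an added example (not Microsoft's code and not from the article), here is a small Python detector in the spirit of the built-in credit card rule: a digit run is flagged only when it matches an issuer prefix/length pattern and passes the Luhn checksum, which is why random digit strings such as an invoice number do not trip it. The issuer table is a simplified, assumed subset, and the last constructed sample reproduces the leading/trailing-digit blind spot described above so a defender can see exactly what the rule does not cover.

```python
"""Added example: a DLP-style credit card check in the spirit of the
Exchange/O365 rule described above. Not Microsoft's code; the issuer
prefix/length table is a simplified assumption for illustration."""
import re

# Assumed issuer rules: prefix and total length (a small subset).
ISSUERS = {
    "visa": re.compile(r"^4\d{12}(?:\d{3})?$"),   # 13 or 16 digits
    "mastercard": re.compile(r"^5[1-5]\d{14}$"),  # 16 digits
    "amex": re.compile(r"^3[47]\d{13}$"),         # 15 digits
}

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the calculation that weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits: str):
    """Return the issuer whose prefix/length rule matches, else None."""
    for name, pattern in ISSUERS.items():
        if pattern.match(digits):
            return name
    return None


def find_card_numbers(text: str):
    """Return (issuer, digits) for each candidate passing both checks."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        issuer = issuer_of(digits)
        if issuer and luhn_ok(digits):
            hits.append((issuer, digits))
    return hits


def evaluate_message(body: str) -> dict:
    """Mimic a transport rule: block when a validated card number is present."""
    hits = find_card_numbers(body)
    return {"action": "block" if hits else "allow", "hits": hits}


# Constructed sample messages (well-known test card numbers, no real accounts).
SAMPLE_LEAK = ("Card 4111 1111 1111 1111, backup 5555-5555-5555-4444 "
               "and corporate Amex 3782 822463 10005.")
SAMPLE_INVOICE = "Please pay invoice 4111 1111 1111 1112 by Friday."  # fails Luhn
SAMPLE_PADDED = "Ref 94111 1111 1111 11117"  # padded digits: the blind spot above

if __name__ == "__main__":
    for label, body in [("leak", SAMPLE_LEAK), ("invoice", SAMPLE_INVOICE),
                        ("padded", SAMPLE_PADDED)]:
        print(label, evaluate_message(body))
```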

So that makes the new DLP features basically useless for blocking anything other than accidental, casual, or poorly executed attempts to expose sensitive data. For any greater level of actual data loss prevention, organizations would still need other measures at the firewall, such as deep packet inspection.

But there is one particular type of monitoring that the DLP rules in Outlook can do well: enforcing other e-mail usage policies by scanning for keywords. Exchange can easily spot the word "resume" in a Word document and forward the message to the employee's manager, bounce it back, silently delete it, or send it to the spam quarantine for further analysis.

Microsoft's bundling of this sort of technology with Exchange and O365 enterprise editions will probably lead to Google offering similar features to its Apps for Business customers. After all, given that pattern recognition is something in Google's wheelhouse, it isn't too much of a stretch to believe it could offer DLP as part of its Vault e-discovery and archiving service. Google is already pretty good at finding content in Gmail for advertising purposes, as Microsoft has been happy to harp on about in its own marketing efforts for Outlook.com and Office 365.

If you're working for a heavily regulated company or just working for one that's concerned about how you're using their computing resources, you should just expect this sort of monitoring. But with DLP now (relatively) affordable for companies of all sizes through O365, the population of people who could conceivably be monitoring co-workers' e-mails has risen dramatically—no deep packet inspection required. Think about that the next time you use your work e-mail for personal business.

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat

Seems US supervisors and managers are severely underused and underemployed. How can it be that "they" spend so much time snooping into their employees' emails? Additionally, almost everybody today possesses some sort of smartphone with email functionality. Why would anybody in their right mind use the company's email system for private emails, well aware of the fact that it abides by the company's compliance rules?

Seems US supervisors and managers are severely underused and underemployed. How can it be that "they" spend so much time snooping into their employees' emails? Additionally, almost everybody today possesses some sort of smartphone with email functionality. Why would anybody in their right mind use the company's email system for private emails, well aware of the fact that it abides by the company's compliance rules?

From my experience, managers consider it their responsibility to micromanage. It is more important, for example, that an employee's butt is in a chair 9 hours a day, instead of what the employee gets done. It says a lot about why our economy is such a disaster. A little less micromanaging might do a lot to build some steam in outputs and employee engagement.

I can't help but feel an "anti-big brother" or "they're watching you" vibe from reading the article's title. I'm glad that the content did not reflect the same and was a concise and accurate summary of the technology, but this type of monitoring and filtering is not new; it's just easier with the new Office suite.

I forget the brilliant mind that first said it, but it was once said that sending an email is like shouting out of an open window: anyone who is set up and listening can hear what you say. Most emails are transmitted in the clear with NO encryption whatsoever. It's foolish to think that anything that is said in emails is confidential, unless encrypted with PGP or any other security/certificate technology. It's also foolish to think that your employer is not going to watch out for their best interest, like making sure you do your work instead of forwarding around some garbage you shouldn't even waste a webmail's storage on, let alone their backed-up enterprise mail system's storage. Enterprise mail costs are exploding. It's a little unfair to classify a sysadmin's attempt to keep unnecessary emails down as invading your privacy. If it's a work email account, it's not your email account, and as weird as it might feel, there should be no expectation of privacy.

Your employer isn't providing a mail system with high up time failover clustering with weeks of backups so you can forward around puppy and kitty memes and feel-good stories about beating cancer or true love prevailing. There should be no expectation of anonymity when you are using a company resource for something you are not supposed to.

Microsoft's bundling of this sort of technology with Exchange and O365 enterprise editions will probably lead to Google offering similar features to its Apps for Business customers.

Google already does through Postini and its content management feature. Granted, it is an additional product for an extra fee. I have not messed with the function that much, so I can't give a working opinion. However, it has been in place for quite a while.

Postini services are getting merged into Google Message Security, Discovery, Encryption and Vault this year. It will be interesting to see how this plays out on a feature and cost level versus O365.

No kidding. I can't even get Outlook to reliably use the right email account to send my email. (Best example: new emails can't be sent via IMAP account when separate Exchange account with separate folders is not connected, though replies work fine.) I certainly wouldn't expect it to do this 100%.

Microsoft's bundling of this sort of technology with Exchange and O365 enterprise editions will probably lead to Google offering similar features to its Apps for Business customers.

Google already does through Postini and its content management feature. Granted, it is an additional product for an extra fee. I have not messed with the function that much, so I can't give a working opinion. However, it has been in place for quite a while.

Postini services are getting merged into Google Message Security, Discovery, Encryption and Vault this year. It will be interesting to see how this plays out on a feature and cost level versus O365.

Google offers all of this through their integrated solution besides archiving and e-discovery. You can set up filters based on OU and also create your own regex to find items sent in email; it also offers the ability to flag, bcc, mark or add custom headers to the message.

Seems US supervisors and managers are severely underused and underemployed. How can it be that "they" spend so much time snooping into their employees' emails?

They're not spending time snooping email. (At least good managers aren't.)

This functionality is mainly for compliance purposes (SEC, FINRA, HIPAA, etc.) where it is required to capture and preserve all communications for years. Some of it may be reviewed based on keyword findings, but nobody is reviewing every single email a company sends.

If someone is determined enough to send out their credit card number by email using an image, I think they deserve the results of that action.

I think the idea here is that you're sending a picture of someone else's credit card information. Or, more accurately, lots of other people's information from a database.

I can't come up with a reason you would WANT to send your own credit card number by email.

I'd assume it'd be easier to just whip out the cell phone camera and do it when you get home. Unless you work in one of those places that restrict cell phone cameras, but very few organizations block their internal folks from that sort of tech.

From my experience, managers consider it their responsibility to micromanage. It is more important, for example, that an employee's butt is in a chair 9 hours a day, instead of what the employee gets done.

In my experience, the more F'd up a group or company is already, the more likely they are to double down and ratchet up the micro management and strict counter productive policies.

In any event, I think the two big users for this will be the Legal group (discovery) and the incident responders (anti-hacking and dealing with outages), not HR or management. At least in a well-functioning medium-size company.

Can you provide some more details on this? If I click my Gmail address on any of Google's search pages, it gives me the option to view my account/profile/settings. No links directly to Gmail. Any links I do find for Gmail, such as on the top bar, go through the normal mail.google.com address, which is no different than going to Gmail directly.

All these overrated features, yet no free Exchange support for basic emails. I'll stick with IMAP-IDLE and DAV support, thanks.

Already in Hotmail/Outlook.com if you mean ActiveSync.

Plugins? Addons? Non-native Exchange solutions? Yes, have them on right now, paired with GO SyncMod, sadly. Thunderbird right now is (partially) but surely doing a good job, though IMAP still has some irks compared to the polished EAS protocol. I don't understand why mobiles have ActiveSync, but not desktop use. No wonder Google pulled out, about time.

It's difficult to monitor emails that are encrypted. The only way to monitor encrypted emails is to spend the time and money to decrypt them. Sure you could just delete them, but that makes it rather obvious that it's being parsed.

Seems US supervisors and managers are severely underused and underemployed. How can it be that "they" spend so much time snooping into their employees' emails? Additionally, almost everybody today possesses some sort of smartphone with email functionality. Why would anybody in their right mind use the company's email system for private emails, well aware of the fact that it abides by the company's compliance rules?

From my experience, managers consider it their responsibility to micromanage. It is more important, for example, that an employee's butt is in a chair 9 hours a day, instead of what the employee gets done. It says a lot about why our economy is such a disaster. A little less micromanaging might do a lot to build some steam in outputs and employee engagement.

These kinds of features have nothing to do with micromanaging and snooping in principle. That's not to say it could be abused in that way, but if that's the sort of company you work for I would suggest getting a new job. Back in the real world there are legitimate needs for companies that deal with regulatory compliance of all sorts to protect themselves from findings that come with real monetary penalties. One "oops" email with employee demographic information could bring with it damages to both the bottom line and reputation that a simple DLP rule could prevent. I have every intention of deploying it for just that reason.

If someone is sending out resumes, that's between them and their manager; I could care less.

The vast majority of data leaks are unintentional. Someone accidentally sends a spreadsheet full of credit cards instead of a budget spreadsheet, or sends data that was meant for a single recipient to a large distribution list. If someone wants to leak data, it's very hard to prevent them from doing so unless you're extremely locked down (no USB ports on computers, cell phones quarantined at the entrance, etc.), and email is hardly the preferred method as it leaves a huge paper trail. DLP is a tool for organizations to help their users prevent data leaks and raise awareness of what data is flowing where. If organizations want to spy on their users, this is a really inefficient way to do so.

The feature most overlooked is the client-side detection and override. It goes like this: the email content scan is done on the client side as the email is composed (no data is captured or logged). If a rule is hit, a notification appears in Outlook essentially asking the user, "are you sure you want to send this? It contains <x> and you're sending to <y>." The user can hit "yes, I'm sure," which will then bypass the server-side rule and send the mail. This is the core scenario: help well-intentioned users to not screw up.

Disclaimer: I work for Microsoft but these are my personal opinions on email DLP in general.

If someone is determined enough to send out their credit card number by email using an image, I think they deserve the results of that action.

I think the idea here is that you're sending a picture of someone else's credit card information. Or, more accurately, lots of other people's information from a database.

I can't come up with a reason you would WANT to send your own credit card number by email.

Believe me, there are many organisations that are just not set up correctly.

In the last two months, I had to apply for a type of citizenship validation document with the UKBA (UK Border Agency). Payment was only possible through credit card. How did I have to give them this information? All my credit card details including the CVV number had to be listed on the application form and then posted by snail mail to them. There was no other way to do this online or in person. You can imagine how I felt doing this.

I cancelled my card thereafter, once the transaction was complete, and got a new one.

I think it is also time I get a dedicated credit card with a low credit limit to use at those stupid organisations still living in the dark ages. There is no other 'competitor' for the UKBA! Of course, I also try never to give my CC details to small unknown web companies, and if I have to, I make sure they support PayPal so I can use that as the payment mechanism.

Regarding the article: DLP is a great tool, but it is very complex to implement. It also needs to be holistically applied at all network levels, including monitoring the computer/USB ports. If users find that sending stuff via email gets it blocked, they will then do the other 'wise' thing: copy it to a USB key and then send it via personal mail. An even easier method is to use their personal webmail solution (if not already blocked) to send said file directly. This is why you need the corporate firewalls and content filtering gateways to also be doing DLP checking.

Is DLP clever enough to understand the semantic difference between the words resumé (also spelt resume) and the classic definition of resume? If I wrote, "the app did not resume," is that enough for the filter to get tripped up?

People will abuse DLP technology, but the real point of it is to stop unintentional or careless mistakes.

Case in point: Say you use the LinkedIn plugin for Office 2013 and sync your LinkedIn address book to your Outlook contacts. You then go to forward an email with a Visio diagram of a secure internal network to a colleague on your iPhone -- except you don't realize that the iPhone contact you sent it to was your colleague's home email address synced from LinkedIn.

DLP could easily catch that (by IP address text or some other identifier) and not allow the message to leave your organization.